wireless 1Q trunking bridge constructed with Cisco Model 3602 access points |
Howto get a 1Q trunk across the air gap using Cisco wireless access points. (note it actually IS hard to do)
by ralph klimek VK3ZZC May-2014
these
configs will permit you to construct a air bridge that can ferry a
complete 1Q trunk across an air gap. It
uses standard autonomous firmware, full wpa2 PSK encryption
and will
transport a defined set of vlans whilst providing full
remote management of the bridges. You will have to
purchase/get/find the autonomous firmware yourself as I cannot supply
it due to legal peril. There are excellent Russian archives of
firmwares , or you will have to find a friendly CCIE.
Due
to the complexity of the configuration you must make a rational
decision about precisely which vlans you want trunked. There is
no known configuration options that just transports all of them without
micromanagement. If you require
this level of simplicity you must purchase a specific air-bridge
product. Why cant I just increase the mtu to accomodate a 1Q
trunk
? Tried that too, no good. It appears that the "wap" product firmware will
arbitarily drop a 1Q tagged frame unless told otherwise. The more
expensive "bridge" product may just forward a trunk without further
ado , I cannot prove that as I do not have the "bridge" model
available.
You must also configure the switch
feeding your air bridging waps with some care so that your
management vlan is egressed without its vlan tags, it must
appear on the native (untagged) interface, normally it is vlan 1.
This config was
proven to work on the Model 3602, version
ap3g2-k9w7-tar.152-4.JB3a.tar , fiddling around may be required
on other Cisco wap models.
The
motivation for this project was the aquisition of leases to two
adjoining biuldings in the city by Monash. As expected, there was
a requirement that our clients in these co-joined biuldings have a
network connection to each other. The floor spaces were separated
by a one meter air gap and two 1/2 meter thicknesses of load bearing
masonary. The cost of running a fibre link between these
two leased sites was mind-bogglingly large. Boring a hole between two
adjacent mult-story city biuldings was left out of my job
description. So we "burned" a "hole" using this radio link.
I
am implementing this scenario, two remote sites, I am wanting to send a
1Q trunk complete with switch and radio managmement and assorted
production data vlans over an air gap | |
|
bridge one, "near" bridge config | bridge one, "remote" bridge config | comments | ! ! Last configuration change at 04:39:59 UTC Fri Jun 22 2012 version 15.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname monash-college-near ! ! logging rate-limit console 9 enable secret 5 $1$ZbtD$amhH0VjhSfI. ! no aaa new-model no ip cef ip domain name ralphcor ! ! ! ! dot11 syslog ! dot11 ssid monash-collage-bridge1 vlan 1 authentication open authentication key-management wpa version 2 guest-mode infrastructure-ssid wpa-psk ascii 7 013E09your text here0A5A184581E58 ! ! dot11 guest ! ! ! username Cisco password 7 06250634F41 username ralphk password 7 0327210500 ! ! bridge irb ! ! ! interface Dot11Radio0 no ip address ! encryption mode ciphers aes-ccm ! encryption vlan 1 mode ciphers aes-ccm ! ssid monash-college-bridge1 ! antenna gain 0 stbc speed
basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0
basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3.
m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18.
m19. m20. m21. m22. m23. station-role root bridge ! interface Dot11Radio0.1 encapsulation dot1Q 1 native bridge-group 1 ! interface Dot11Radio0.13 encapsulation dot1Q 13 bridge-group 13 ! interface Dot11Radio0.111 encapsulation dot1Q 111 bridge-group 111 ! interface Dot11Radio0.133 encapsulation dot1Q 133 bridge-group 133 ! interface Dot11Radio1 no ip address shutdown antenna gain 4 peakdetect no dfs band block channel dfs station-role root bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding ! interface GigabitEthernet0 no ip address duplex auto speed auto ! interface GigabitEthernet0.1 encapsulation dot1Q 1 native bridge-group 1 ! interface GigabitEthernet0.13 encapsulation dot1Q 13 bridge-group 13 ! interface GigabitEthernet0.111 encapsulation dot1Q 111 bridge-group 111 ! interface GigabitEthernet0.133 encapsulation dot1Q 133 bridge-group 133 ! interface BVI1 ip address 10.10.10.211 255.255.255.0 ipv6 address dhcp ipv6 address autoconfig ! ip forward-protocol nd ip http server no ip http secure-server ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag ! ! bridge 1 route ip ! ! ! line con 0 line vty 0 4 login local transport input all ! end | ! ! Last configuration change at 11:36:16 UTC Sat Jun 23 2012 version 15.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname monash-college-far ! ! logging rate-limit console 9 enable secret 5 $1$WmKE$uzv3mgqnGbzqilH101 ! no aaa new-model no ip cef ip domain name ralphcor ! ! ! ! dot11 syslog ! dot11 ssid monash-collage-bridge1 vlan 1 authentication open authentication key-management wpa version 2 guest-mode infrastructure-ssid wpa-psk ascii 7 013E0your text here5A180E21241E58 ! ! dot11 guest ! ! ! username Cisco password 7 080455D0A16 username ralphk password 7 00271A15754 ! ! bridge irb ! ! ! interface Dot11Radio0 no ip address ! encryption mode ciphers aes-ccm ! encryption vlan 1 mode ciphers aes-ccm ! ssid monash-college-bridge1 ! antenna gain 0 stbc station-role non-root ! interface Dot11Radio0.1 encapsulation dot1Q 1 native bridge-group 1 ! interface Dot11Radio0.13 encapsulation dot1Q 13 bridge-group 13 ! interface Dot11Radio0.111 encapsulation dot1Q 111 bridge-group 111 ! interface Dot11Radio0.133 encapsulation dot1Q 133 bridge-group 133 ! interface Dot11Radio0.666 encapsulation dot1Q 666 bridge-group 255 ! interface Dot11Radio1 no ip address shutdown antenna gain 0 peakdetect no dfs band block channel dfs station-role root bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding ! interface GigabitEthernet0 no ip address duplex auto speed auto ! interface GigabitEthernet0.1 encapsulation dot1Q 1 native bridge-group 1 bridge-group 1 spanning-disabled ! interface GigabitEthernet0.13 encapsulation dot1Q 13 bridge-group 13 ! interface GigabitEthernet0.111 encapsulation dot1Q 111 bridge-group 111 ! interface GigabitEthernet0.133 encapsulation dot1Q 133 bridge-group 133 ! interface GigabitEthernet0.666 encapsulation dot1Q 666 bridge-group 255 ! interface BVI1 ip address 10.10.10.213 255.255.255.0 ipv6 address dhcp ipv6 address autoconfig ipv6 enable ! ip forward-protocol nd ip http server no ip http secure-server ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag ! ! bridge 1 route ip ! ! line con 0 line vty 0 4 login local transport input all ! end | factory default boilerplare
!give yourself a unique hostname
set your own enable password
set a unique ip domain name so that ssh will work after you create the keys
send syslog messages, you have to supply the syslog server
set your own unique infrastructure-ssid wap to wap authentication can only happen on Vlan1 use "open" standards compliant authentication tell the wap to use wpa2 probably redundant, you dont not actually need guest mode inform IOS that this wappage will only associate to another wappage set YOUR one pre shared session key
probably redundant, you dont not actually need guest mode
set your own usernames and session passwords
enable bridging, its is in the boilerplate but if not, add it
this
is the tase config that tells the physcal radio interface how to use
the encryption . It can only happen on the native vlan 1 bridge group
this keyword cipher permits wpa2 ciphers aes-ccm is cisco speak for wpa2
assoicated this ciper method to an encryption process attached to vlan 1
associate
the encrytpion method and cipher to an ssid (recall that a Cisco
wap may present multiple ssids to the air interface
I have no idea what stbc means, but it make this stuff work for wireless bridging one wap must be "root bridge" the peer wap must be "non root bridge"
a radio subinterface must be configured for the native vlan 1 even though it exists
be default on the physcial radio allready. We permit a vlan to egress
the radio air interface by naming and configuring the
subinterfaces. This bit is boiler plate and MUST be present or else the
waps cannot associate
Dot11Radio0.13 is the first production vlan to traverse the links
you may invoke int Dot11radio0.anything you may invoke encapulation dot1Q anything bridge
groups are only valid between <1-255> to you must manually and
carfeilly manage your vlan to bridge group associattions
this radio has another inbuild 5Ghz radio which will not be used this time the ethernet native interface requires allmost no config. Everything is done on the subinterfaces.
this
permits the native vlan 1 egress onto your 1Q trunk. It permits remote
management of your air bridges. Bridge group 1 is not optional, you
cannot reasign or reuse it for unauthorised purposes. The management is tied to interface BVI1 and also cannot be reassigned !
vlan 13 is a production traffic vlan
vlan 111 is a production traffic vlan
vlan 133 is a production traffic vlan
vlan 666 is going nowhere ! There can be no bridge group 666 so we have to associate to some other bridge group number.
in
band management MUST go to BVI1 here. You cannot associate the
console/management process to BVI13 or other. It just does not
seem to work Here at work we also do IPV6. Why arent you ?
I
honestly do not know what ip forward-protocol nd means. It is
part of the default IOS factory reset default factory config At monash we disable inbuilt web servers for security,but use only for inital setting up
this tells the virutal bridge one to enable a TCPIP process
set
your own vty parameters. dont forget to set an access list for
vty ports because you do not want the entire internet to manage YOUR
bridge.
dont forget to UNSHUT all your production interfaces. They may come up in shutdown state by default
think of bridge groups as a collection of completely standalone virtual ethernet switches
| config of nearby router 1Q trunk | config of far switch's 1Q trunk | comments | interface GigabitEthernet1/0/24 switchport trunk encapsulation dot1q switchport trunk native vlan 11 switchport trunk allowed vlan 11,13,111,133 switchport mode trunk switchport nonegotiate | interface GigabitEthernet1/0/24 switchport trunk encapsulation dot1q switchport trunk native vlan 11 switchport trunk allowed vlan 11,13,111,133 switchport mode trunk switchport nonegotiate | vlan 11 is my chosen "switch management" vlan so it goes on the wire as a native untagged. It still must be permitted on the egress list ! When I set mode trunk it will be a trunk no ifs/buts if I also set switchport nonegotiate . the other vlans are "production" vlans . Notice how vlan 11 on the switch and vlan 1 on the wap correctly talk to each other...because they are untagged ! |
|
router one "nearby" config |
! version 12.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname test-gateway-two ! boot-start-marker boot-end-marker ! enable secret 5 $1$4CuIWlPMOH1 ! username ralphk password 0 Cisco ! ! no aaa new-model switch 1 provision ws-c3750g-24ts system mtu routing 1500 no ip domain-lookup ip domain-name ralphcor ! ! ! ! ! ! ! ! ! spanning-tree mode rapid-pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! ! ! ! interface GigabitEthernet1/0/1 switchport access vlan 11 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/2 switchport access vlan 11 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/3 switchport access vlan 11 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/4 switchport access vlan 11 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/5 switchport access vlan 13 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/6 switchport access vlan 13 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/7 switchport access vlan 13 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/8 switchport access vlan 13 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/9 switchport access vlan 111 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/10 switchport access vlan 111 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/11 switchport access vlan 111 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/12 switchport access vlan 111 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/13 switchport access vlan 133 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/14 switchport access vlan 133 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/15 switchport access vlan 133 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/16 switchport access vlan 133 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/17 ! interface GigabitEthernet1/0/18 ! interface GigabitEthernet1/0/19 ! interface GigabitEthernet1/0/20 ! interface GigabitEthernet1/0/21 ! interface GigabitEthernet1/0/22 ! interface GigabitEthernet1/0/23 switchport trunk encapsulation dot1q switchport trunk allowed vlan 11,13,111,133 switchport mode trunk switchport nonegotiate ! interface GigabitEthernet1/0/24 switchport trunk encapsulation dot1q switchport trunk native vlan 11 switchport trunk allowed vlan 11,13,111,133 switchport mode trunk switchport nonegotiate ! interface GigabitEthernet1/0/25 ! interface GigabitEthernet1/0/26 ! interface GigabitEthernet1/0/27 ! interface GigabitEthernet1/0/28 ! interface Vlan1 no ip address ! interface Vlan11 ip address 10.10.10.253 255.255.255.0 ! interface Vlan13 ip address 13.0.0.253 255.255.255.0 ! interface Vlan111 ip address 111.111.111.253 255.255.255.0 ! interface Vlan133 ip address 133.133.133.253 255.255.255.0 ! ip classless ip http server ip http secure-server ! ! ! ! ! line con 0 line vty 5 15 ! end |
router/switch config for far device |
! version 12.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname test-gateway-one ! boot-start-marker boot-end-marker ! enable secret 5 $1$YDdD$LnaG.nfUdQeMqjd03aP30 ! username ralphk password 0 Cisco ! ! no aaa new-model switch 1 provision ws-c3750g-24ts system mtu routing 1500 ip routing no ip domain-lookup ip domain-name ralphcor ! ! ! ! crypto pki trustpoint TP-self-signed-4158367104 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-4158367104 revocation-check none rsakeypair TP-self-signed-4158367104 ! ! crypto pki certificate chain TP-self-signed-4158367104 certificate self-signed 01
B5B7BC68 9809D24A E5C33E86 D65E4415 86905623 256849CF 3C3FCEFF D26E4DDC 99BDBE9E 9BFB7A06 D1FD3F51 B4E9A934 B50E3EAA A551A957 0FDAE25E 41FFB7C0 7CC4CF47 F5ABA223 BC6E1021 44D8B826 7D155034 301FBFAA C7E8F1EC C72C33BF D21F9566 1BE49A71 EBBF43B2 07 quit ! ! ! ! spanning-tree mode rapid-pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! ! ! ! interface GigabitEthernet1/0/1 switchport access vlan 11 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/2 switchport access vlan 11 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/3 switchport access vlan 11 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/4 switchport access vlan 11 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/5 switchport access vlan 13 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/6 switchport access vlan 13 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/7 switchport access vlan 13 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/8 switchport access vlan 13 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/9 switchport access vlan 111 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/10 switchport access vlan 111 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/11 switchport access vlan 111 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/12 switchport access vlan 111 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/13 switchport access vlan 133 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/14 switchport access vlan 133 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/15 switchport access vlan 133 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/16 switchport access vlan 133 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/17 ! interface GigabitEthernet1/0/18 ! interface GigabitEthernet1/0/19 ! interface GigabitEthernet1/0/20 ! interface GigabitEthernet1/0/21 ! interface GigabitEthernet1/0/22 ! interface GigabitEthernet1/0/23 switchport trunk encapsulation dot1q switchport trunk allowed vlan 11,13,111,133 switchport mode trunk switchport nonegotiate ! interface GigabitEthernet1/0/24 switchport trunk encapsulation dot1q switchport trunk native vlan 11 switchport trunk allowed vlan 11,13,111,133 switchport mode trunk switchport nonegotiate ! interface GigabitEthernet1/0/25 ! interface GigabitEthernet1/0/26 ! interface GigabitEthernet1/0/27 ! interface GigabitEthernet1/0/28 ! interface Vlan1 ip address 10.0.0.1 255.255.255.0 ! interface Vlan11 ip address 10.10.10.254 255.255.255.0 ! interface Vlan13 ip address 13.0.0.254 255.255.255.0 ! interface Vlan111 ip address 111.111.111.254 255.255.255.0 ! interface Vlan133 ip address 133.133.133.254 255.255.255.0 ! ip classless ip http server ip http secure-server ! ! ! ! ! line con 0 line vty 0 4 login line vty 5 15 login ! end |
config notes
the
platform here is a pair 3750 running routing ipservices images.
This is used because I can assign ip address to each vlan
interface. This scenario will not werk using only the ipbase
images (they only permit a management vlan interface to be "UP")
preload
the routers with their all there vlans, then create interfaces. Beware
vlan interfaces do not come "up" untill they are associated with at
lease one physical interface that is UP.
the 1Q trunk interfaces
on port g1/0/23 was used to short circuit the air bridge to test
that spanning tree was working properly. It is ! You may use this
config to run extra parallel trunks for resilience ! We do pvrst+ at monash because it works extremely well.
the
radio recieved signal strength indication RSSI can be read from the
waps with the cli command. The signal strength in this example
represents a test lab scenario where the waps are allmost touching !
In the real world you might expect -50 to -70 dbm for a good
link, -80dbm for a marginal link.
monash-college-near#sho dot11 associations all | inc Signal Signal
Strength : -18
dBm
Connected for : 975 seconds Signal to
Noise : 77
dB
Activity Timeout : 30 seconds monash-college-near#sho dot11 associations all | inc Signal Signal
Strength : -10
dBm
Connected for : 978 seconds Signal to
Noise : 85
dB
Activity Timeout : 30 seconds monash-college-near#sho dot11 associations all | inc Signal Signal
Strength : -9
dBm
Connected for : 1364 seconds Signal to
Noise : 86
dB
Activity Timeout : 30 seconds monash-college-near#
|